Risky business services: Who’s accessing your corporate data?

BitSight analysed the security of four sectors—Law, Benefits, Accounting, and PR—within the business services industry using our proprietary Security Ratings. These ratings range from 250 to 900, with higher ratings indicating better security performance. BitSight analyses terabytes of security data to gather, process and assign this information.

When thinking about “risky” industries, people often think of banks, manufacturers, suppliers, etc. But have you stopped to think about the third-party vendors in business services?

Mandiant, a security consulting services organisation, investigated industries with a high number of cyber security intrusions. According to their findings, business and professional services are the highest at 17%.

[Chart: share of Mandiant-investigated intrusions by industry. Industries shown: Other, Aerospace & Defence, Transportation, Health Care, High Tech & IT, Legal Services, Govt & Int’l Organisations, Construction & Engineering, Media & Entertainment, Business & Professional Services, Retail, Financial Services. Values shown: 8%, 3%, 5%, 6%, 7%, 7%, 7%, 8%, 8%, 10%, 14%, 17%.]

THE FOUR SECTORS

Accounting, Benefits, Law, PR

WHAT’S AT STAKE?

[Panel: sensitive data the four sectors have access to. Items shown: Tax Information; Financial Statements; Employee Information; Earnings Reports; Product Launches; Crisis Mitigation Plans; Payroll; Personally Identifiable Information; Social Security Numbers; Current Litigation; Evidence; Sensitive Information On Directors & Officers.]

SO WHAT WAS EACH SEGMENT’S RATING?

[Panel: one Security Rating per sector. Ratings shown: 740 (Advanced), 615 (Basic), 725 (Intermediate), 670 (Intermediate).]

BitSight defines Basic performance as ratings from 250-639, Intermediate as 640-739, and Advanced as 740-900.

HOW QUICKLY ARE ISSUES REMEDIATED?

[Panel: average time to remediate issues per sector. Values shown: 1.8 days, 1.3 days, 2.3 days, 1.9 days.]

Findings: While PR agencies handle sensitive data, there’s a wider spread of results in the industry. Some PR firms have excellent security and remediation in place, and others do not. PR as a whole should encourage industry players to reach higher standards.

Findings: Consistent performance with little variation from company to company.

Findings: Despite having a worse performance than Law and Benefits, Accounting still demonstrates consistent performance.

Findings: Very consistent performance with little variation from company to company.

Given the complexity of finding and removing some botnets from the network, resolving these events in less than two days represents significant commitment and a successful deployment of resources.

THE TAKEAWAY

When it comes to third-party risk management, many businesses immediately think of their bank or critical suppliers. It is often overlooked that many other third parties—particularly companies that provide services to other companies—have access to very sensitive data.

Some business services sectors did surprisingly well, including benefits administration companies, which have access to sensitive employee health insurance information, social security numbers and other personal information. Accounting firms, which have access to financial statements and accounting information, also rated relatively highly.

Other industries did not fare as well. Law firms have access to sensitive data on their clients, and though quick to remediate issues that arise on their networks, law firms generally have more infections and configuration issues. Perhaps more worrying is the performance of PR firms, as many have access to extremely valuable data like earnings reports and product launch details. This point was recently highlighted by the theft of earnings reports from newswires that allowed traders to make stock market trades and amass more than $100 million.

Regardless of sector, any third party with access to sensitive data needs to be monitored on a continuous basis in order to identify when the security posture of an important vendor has changed. Businesses can then proactively communicate with third parties about potential issues as they arise.

HOW DOES BITSIGHT CALCULATE SECURITY RATINGS?

Email [email protected] for a free consultation on how you can apply Bitsight Security Ratings to your enterprise.

Copyright © 2016 Singapore Telecommunications Ltd (CRN:199201624D). All rights reserved.
